Last active: June 14, 2018 20:08
Encryption on weave-net
From issue: https://github.com/jupyterhub/zero-to-jupyterhub-k8s/issues/699
I've investigated using password encryption with weave. If you've followed the instructions for deploying kubernetes with KOps, the default deployment uses weave. Weave has a capability of employing password encryption. Once activated, the encryption in transit is seamless.
Here are the steps so far:

1) Install Kubernetes with KOps per the z2jh documentation steps.
2) (optional) Run kubectl --namespace kube-system get pods and verify there are weave-net pods.
3) Create a password file. I did openssl rand -hex 128 >weave-passwd
4) Create a Kubernetes Secret in the kube-system namespace:
   kubectl create secret -n kube-system generic weave-passwd --from-file=./weave-passwd
   Verify the secret: kubectl -n kube-system describe secret weave-passwd
   This is very important: the secret name (e.g. weave-passwd) and the Data label must be the same. Apparently the Data tag is picked up from the filename in the manner I created the secret. Someone more skilled with Kubernetes could possibly genericize and explain this process better. I have seen in the weave documentation others use the --from-literal flag instead of the --from-file flag.
5) Edit the weave-net daemonset. I used kubectl edit --namespace=kube-system daemonset weave-net
6) Add the following to the spec.template.spec:
   - name: WEAVE_PASSWORD
     valueFrom:
       secretKeyRef:
         key: weave-passwd
         name: weave-passwd
   Here key and name should be the same and should match the name of the Kubernetes Secret.
   I'm thinking there is a one line kubectl command to accomplish step 5. I could use some help from a more experienced Kubernetes person to boil this step down.
7) (optional) Run kubectl --namespace kube-system get pods again and verify new pods are created.

That's pretty much it. Then complete the installation of JH via the remainder of the documentation.
To verify it is properly running, after a get pods command execute:
kubectl exec -n kube-system weave-net-<pod> -c weave -- /home/weave/weave --local status

You should get something like:

        Version: 2.3.0 (up to date; next check at 2018/05/25 22:56:17)
        Service: router
       Protocol: weave 1..2
           Name: 76:ce:c9:79:52:1c(ip-10-2-0-149.us-west-2.compute.internal)
     Encryption: enabled
  PeerDiscovery: enabled
        Targets: 3
    Connections: 3 (2 established, 1 failed)
          Peers: 3 (with 6 established connections)
 TrustedSubnets: none
        Service: ipam
         Status: ready
          Range: 100.96.0.0/11
  DefaultSubnet: 100.96.0.0/11

and note the encryption status is enabled.
To patch it:
kubectl patch --namespace=kube-system daemonset/weave-net --type json -p '[ { "op": "add", "path": "/spec/template/spec/containers/0/env/0", "value": { "name": "WEAVE_PASSWORD", "valueFrom": { "secretKeyRef": { "key": "weave-passwd", "name": "weave-passwd" } } } } ]'
The preceding replaces step 6 above.
To remove encryption:
# removes env entry 0 of the weave container, which is WEAVE_PASSWORD when it was inserted with the "add" patch above
kubectl patch --namespace=kube-system daemonset/weave-net --type json -p '[ { "op": "remove", "path": "/spec/template/spec/containers/0/env/0" } ]'
"Peace of mind" testing can be had by monitoring
tcpdump -A port 6783 on any node running a JH pod
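As an added example (not the gist's own code), a small POSIX shell helper that generates the JSON patch for either direction and checks a status dump for the properties verified by eye above. It assumes the Secret name equals its key, as the gist requires, that WEAVE_PASSWORD is still env entry 0 when removing, and it also fails on a non-empty TrustedSubnets because weave skips encryption for peers in trusted subnets.

```shell
#!/bin/sh
# Added example, not the gist's own code. Two offline helpers plus one
# wrapper that calls kubectl the way the gist does.
# Print the JSON Patch for the weave-net daemonset. $1 is "add" or "remove";
# $2 is the Secret name, assumed (as the gist requires) to equal its key.
weave_password_patch() {
    secret=${2:-weave-passwd}
    case "$1" in
        add)
            # Insert at env/0 so the existing env entries are kept, shifted down.
            printf '[{"op":"add","path":"/spec/template/spec/containers/0/env/0","value":{"name":"WEAVE_PASSWORD","valueFrom":{"secretKeyRef":{"key":"%s","name":"%s"}}}}]' "$secret" "$secret" ;;
        remove)
            # Assumes WEAVE_PASSWORD is still env/0, i.e. it was inserted by the
            # "add" patch and nothing else was added in front of it since.
            printf '[{"op":"remove","path":"/spec/template/spec/containers/0/env/0"}]' ;;
        *)
            echo "usage: weave_password_patch add|remove [secret-name]" >&2; return 2 ;;
    esac
}

# Apply the patch (same kubectl invocation as the gist).
apply_weave_patch() {
    kubectl patch --namespace=kube-system daemonset/weave-net --type json \
        -p "$(weave_password_patch "$@")"
}

# Read `weave --local status` output on stdin. Succeed only if encryption is
# on, no trusted subnets bypass it, and every peer pair is connected
# (N peers must report N*(N-1) established connections, e.g. 3 -> 6).
weave_status_ok() {
    enc=0 trusted=0 mesh=0
    while IFS= read -r line; do
        case "$line" in
            *"Encryption: enabled"*)   enc=1 ;;
            *"TrustedSubnets: none"*)  trusted=1 ;;
            *"Peers:"*)
                set -- $(printf '%s\n' "$line" | sed -n 's/^ *Peers: *\([0-9][0-9]*\) (with \([0-9][0-9]*\) established.*/\1 \2/p')
                [ "$#" -eq 2 ] && [ "$2" -eq $(( $1 * ($1 - 1) )) ] && mesh=1 ;;
        esac
    done
    [ "$enc" -eq 1 ] && [ "$trusted" -eq 1 ] && [ "$mesh" -eq 1 ]
}

# Constructed sample in the shape of the status dump shown above.
SAMPLE_STATUS='        Service: router
     Encryption: enabled
          Peers: 3 (with 6 established connections)
 TrustedSubnets: none'
```

On a live cluster, pipe the real output into the checker: kubectl exec -n kube-system weave-net-<pod> -c weave -- /home/weave/weave --local status | weave_status_ok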